<html>
<title> - FEDERAL IT SECURITY: THE FUTURE OF FISMA</title>
<body><pre>[House Hearing, 110 Congress]
[From the U.S. Government Printing Office]



                FEDERAL IT SECURITY: THE FUTURE OF FISMA

=======================================================================

                             JOINT HEARING

                               before the

                  SUBCOMMITTEE ON INFORMATION POLICY,
                     CENSUS, AND NATIONAL ARCHIVES

                                and the

                 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
                     ORGANIZATION, AND PROCUREMENT

                                 of the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                              JUNE 7, 2007

                               __________

                           Serial No. 110-32

                               __________

Printed for the use of the Committee on Oversight and Government Reform


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html
                      http://www.house.gov/reform


                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
39-025                      WASHINGTON : 2008
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S.
Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001

              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                 HENRY A. WAXMAN, California, Chairman
TOM LANTOS, California               TOM DAVIS, Virginia
EDOLPHUS TOWNS, New York             DAN BURTON, Indiana
PAUL E. KANJORSKI, Pennsylvania      CHRISTOPHER SHAYS, Connecticut
CAROLYN B. MALONEY, New York         JOHN M. McHUGH, New York
ELIJAH E. CUMMINGS, Maryland         JOHN L. MICA, Florida
DENNIS J. KUCINICH, Ohio             MARK E. SOUDER, Indiana
DANNY K. DAVIS, Illinois             TODD RUSSELL PLATTS, Pennsylvania
JOHN F. TIERNEY, Massachusetts       CHRIS CANNON, Utah
WM. LACY CLAY, Missouri              JOHN J. DUNCAN, Jr., Tennessee
DIANE E. WATSON, California          MICHAEL R. TURNER, Ohio
STEPHEN F. LYNCH, Massachusetts      DARRELL E. ISSA, California
BRIAN HIGGINS, New York              KENNY MARCHANT, Texas
JOHN A. YARMUTH, Kentucky            LYNN A. WESTMORELAND, Georgia
BRUCE L. BRALEY, Iowa                PATRICK T. McHENRY, North Carolina
ELEANOR HOLMES NORTON, District of   VIRGINIA FOXX, North Carolina
    Columbia                         BRIAN P. BILBRAY, California
BETTY McCOLLUM, Minnesota            BILL SALI, Idaho
JIM COOPER, Tennessee                JIM JORDAN, Ohio
CHRIS VAN HOLLEN, Maryland
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
JOHN P. SARBANES, Maryland
PETER WELCH, Vermont

                     Phil Schiliro, Chief of Staff
                      Phil Barnett, Staff Director
                       Earley Green, Chief Clerk
                  David Marin, Minority Staff Director

   Subcommittee on Information Policy, Census, and National Archives

                   WM. LACY CLAY, Missouri, Chairman
PAUL E.
KANJORSKI, Pennsylvania      MICHAEL R. TURNER, Ohio
CAROLYN B. MALONEY, New York         CHRIS CANNON, Utah
JOHN A. YARMUTH, Kentucky            BILL SALI, Idaho
PAUL W. HODES, New Hampshire
                      Tony Haywood, Staff Director

  Subcommittee on Government Management, Organization, and Procurement

                   EDOLPHUS TOWNS, New York, Chairman
PAUL E. KANJORSKI, Pennsylvania      BRIAN P. BILBRAY, California
CHRISTOPHER S. MURPHY, Connecticut   TODD RUSSELL PLATTS, Pennsylvania
PETER WELCH, Vermont                 JOHN J. DUNCAN, Jr., Tennessee
CAROLYN B. MALONEY, New York
                    Michael McCarthy, Staff Director

                            C O N T E N T S

                              ----------
                                                                   Page
Hearing held on June 7, 2007.....................................     1
Statement of:
    Bond, Phil, president and CEO, Information Technology
      Association of America; Paul Kurtz, partner and chief
      operating officer, Good Harbor Consulting, LLC; John W.
      Carlson, executive director, Financial Services Roundtable/
      BITS; and James Andrew Lewis, director and senior fellow,
      Technology and Public Policy Program, Center for Strategic
      and International Studies..................................    84
        Bond, Phil...............................................    84
        Carlson, John W..........................................   109
        Kurtz, Paul..............................................   100
        Lewis, James Andrew......................................   132
    Evans, Karen S., Administrator, Office of E-Government and
      Information Technology, Office of Management and Budget;
      Gregory C.
Wilshusen, Director, Information Security
      Issues, Government Accountability Office; and Vance Hitch,
      Chief Information Officer, Department of Justice...........    10
        Evans, Karen S...........................................    10
        Hitch, Vance.............................................    56
        Wilshusen, Gregory C.....................................    21
Letters, statements, etc., submitted for the record by:
    Bond, Phil, president and CEO, Information Technology
      Association of America, prepared statement of..............    86
    Carlson, John W., executive director, Financial Services
      Roundtable/BITS, prepared statement of.....................   112
    Clay, Hon. Wm. Lacy, a Representative in Congress from the
      State of Missouri, prepared statement of...................     6
    Davis, Hon. Tom, a Representative in Congress from the State
      of Virginia, prepared statement of.........................    69
    Evans, Karen S., Administrator, Office of E-Government and
      Information Technology, Office of Management and Budget,
      prepared statement of......................................    12
    Hitch, Vance, Chief Information Officer, Department of
      Justice, prepared statement of.............................    57
    Kurtz, Paul, partner and chief operating officer, Good Harbor
      Consulting, LLC, prepared statement of.....................   102
    Lewis, James Andrew, director and senior fellow, Technology
      and Public Policy Program, Center for Strategic and
      International Studies, prepared statement of...............   134
    Towns, Hon. Edolphus, a Representative in Congress from the
      State of New York, prepared statement of...................     3
    Wilshusen, Gregory C., Director, Information Security Issues,
      Government Accountability Office, prepared statement of....
23


                FEDERAL IT SECURITY: THE FUTURE OF FISMA

                              ----------


                         THURSDAY, JUNE 7, 2007

 House of Representatives, Subcommittee on
  Information Policy, Census, and National
  Archives, joint with the Subcommittee on
  Government Management, Organization, and
   Procurement, Committee on Oversight and
                         Government Reform,
                                                    Washington, DC.
    The subcommittees met, pursuant to notice, at 2:13 p.m. in
room 2154, Rayburn House Office Building, Hon. Edolphus Towns
(chairman of the Subcommittee on Government Management,
Organization and Procurement) and Hon. Wm. Lacy Clay (chairman
of the Subcommittee on Information Policy, Census, and National
Archives) presiding.
    Present: Representatives Towns, Clay, Hodes, Davis of
Virginia, and Turner.
    Staff present from the Subcommittee on Information Policy,
Census, and National Archives: Tony Haywood, staff director/
counsel; Adam C. Bordes, professional staff member; Jean Gosa,
clerk; Nidia Salazar, staff assistant; Michelle Mitchell,
legislative assistant for Congressman Wm. Lacy Clay; Leneal
Scott, information systems manager, full committee; Charles
Phillips, minority counsel; Victoria Proctor, minority senior
professional staff member; Allyson Blandford, minority
professional staff member; and Benjamin Chance, minority clerk.
    Staff present from the Subcommittee on Government
Management, Organization, and Procurement: Michael McCarthy,
staff director; Velvet Johnson, counsel; and LaKeshia Myers,
editor/staff assistant.
    Mr. Towns. The subcommittee will come to order.
    Today's hearing is a joint hearing of two subcommittees of
the House Oversight and Government Reform Committee on the
important topic of Federal information security.
We have both
the Subcommittee on Government Management, which I chair, and
the Subcommittee on Information Policy, led by my friend from
St. Louis, Chairman Clay.
    We are holding this hearing jointly because computer
security presents challenges both of management and of
information policy, privacy in particular. I will briefly
discuss some of the management issues that I see, and then I
will yield to Chairman Clay for his opening remarks.
    The security of our technology has gotten a lot more
attention in the past 2 years, mainly because of the serious
breaches of security that have come to light. The most obvious
example, of course, was the loss of a laptop computer
containing sensitive personal data on millions of our Nation's
veterans. Fortunately, that computer was recovered and the data
was not accessed. But the episode served as a real wake-up call
about how quickly and easily security can break down. Our
committees' investigations learned that similar security
breakdowns had occurred in every Government agency we surveyed.
    These security issues are on the minds of American
citizens. I hear from my constituents that they are worried
about identity theft and privacy and want to know what is being
done to keep their personal data safe from hackers and other
criminals.
    It has been 5 years now since Congress passed the Federal
Information Security Management Act. This law has done a lot to
create standards and accountability for our computer security,
but, given our findings that security breaches are still far
too common, we want to ask today what the next steps should be.
What works? We would like to get that information. And what
does not work? What are some new approaches we should try?
    From a management point of view, there are a few specific
issues I hope our witnesses can address.
First, we need to know
if complying with FISMA makes computer systems secure in the
real world, or whether there are other factors to measure and
require that would increase actual security.
    No. 2: how can the Government move away from patching
together security for different equipment after the fact and
move toward buying equipment and systems with security already
built in?
    And the third: what lessons can we learn from the private
sector on how to make systems more secure? Of course, the
private sector has its own security problems, and we all
recognize that, so we should look at what mistakes they are
making, in addition to what they are doing right.
    Thank you to all of the witnesses that are here today. We in
Congress will benefit from your advice as we consider what new
legislation is needed to improve computer security.
    [The prepared statement of Hon. Edolphus Towns follows:]

    Mr. Towns. At this time I would like to yield to the Chair
of the other subcommittee that is sponsoring this hearing
today, Congressman Clay.
    Mr. Clay. Thank you so much, Chairman Towns, especially for
agreeing to host this joint committee with the Information
Policy Subcommittee.
    Let me start out by saying good afternoon. I join my good
friend and colleague, Chairman Towns, in welcoming everyone to
today's joint hearing to evaluate the implementation of the
Federal Information Security Management Act of 2002, widely
known as FISMA.
    Today's hearing continues a bipartisan effort to evaluate
progress under FISMA and find ways to improve our Government
information security for the benefit of all Americans.
Weaknesses in Federal information security threaten the
operation of Federal programs and the privacy of individuals
whose personal information is maintained in Government computer
systems.
Congress passed FISMA to require Federal agencies to
adopt stronger measures to identify and minimize potential
risks to the security of information and information systems.
    Although important progress has been made, recent data
breach incidents involving the Department of Veterans Affairs,
the Internal Revenue Service, and other agencies tell us that
Government information systems remain vulnerable to hackers and
security breaches.
    In its recent annual report to Congress on FISMA
implementation efforts, the Office of Management and Budget
states that progress in fiscal year 2006 was, at best, mixed.
Some agencies have improved their performance under FISMA, but
others, including the Department of Homeland Security and the
State Department, continue to do a poor job of securing their
networks. Twenty-one out of 24 major agencies showed major
weaknesses in their information security controls, and agency
Inspectors General cite major flaws in the quality of agency
certification and accreditation processes. Thus, it is clear
that our current practices and policies need to be reviewed to
see where improvements can be made.
    I thank all of our witnesses for appearing today and look
forward to your testimony.
    Mr. Chairman, I yield back. Thank you.
    [The prepared statement of Hon. Wm. Lacy Clay follows:]

    Mr. Towns. Thank you very much.
    I would now like to yield to Mr. Turner of Ohio for his
opening statement. Thank you.
    Mr. Turner. Thank you, Chairman Towns and Chairman Clay,
for holding this joint oversight hearing today on information
technology security and the future of the Federal Information
Security Management Act.
    Ranking Member Davis was the driving force behind the
passage of FISMA as part of the E-Government Act in 2002.
I
commend his continued leadership on the issue of IT security in
our Federal Government.
    Breaches in IT security are not only a threat to our
national security, but pose a threat to private citizens'
information. In fiscal year 2006, several agencies saw
potential breaches in their IT security, including the VA, the
Department of Transportation, the Department of Energy, the
IRS, and the Department of State. According to a September
2006 report in the Washington Post, more than 1,100 laptop
computers have vanished from the Department of Commerce since
2001, including nearly 250 from the Census Bureau containing
such personal information as names, incomes, and Social Security
numbers.
    As a result of the work in the 109th Congress, the
Subcommittee on Federalism and the Census' staff issued an
interim report on the breach and Republican staff continues its
investigation to this date.
    I also sit on the House Veterans Affairs Committee, and, as
most of you know, in May of last year we dealt with a serious
potential breach in the VA's IT systems when an employee's
laptop was stolen from his residence. That laptop contained the
Social Security numbers of 26.5 million of our Nation's
veterans. While the laptop was recovered and the data therein
was not compromised, this is an example of why oversight on
this topic is important.
    Under then Chairman Buyer's leadership, the House Veterans'
Affairs Committee held six hearings on the issue of cyber
security in the VA, which culminated in the House passage of
H.R. 5835, the Veterans' Identity and Credit Security Act of
2006, which incorporated provisions from this committee.
    I look forward to reviewing the information that we receive
from the witnesses today about FISMA's compliance, as well as a
broad range of public and private sector IT security issues.
    Thank you.
    Mr. Towns. Thank you very much, Mr. Turner.
    Mr. Hodes.
    Mr. Hodes.
Thank you, Mr. Chairman.
    I thank both Chairman Towns and Chairman Clay for holding
this important hearing on Federal information technology
security. I also appreciate the witnesses who are here today,
and I look forward to your testimony on these issues.
    Congress passed FISMA in part to make sure that citizens'
personal information was safe with its Federal Government. In
addition to protection from identity theft, security systems
also ensured that the American people are receiving the most
efficient service possible from their Federal agencies. But the
recent data leaks which have been mentioned, including at the
Departments of Veterans Affairs, Transportation, and Energy, as
well as at the IRS, prove there are still serious flaws in the
Federal Government's information defense system.
    The Office of Management and Budget recently released a
report stating that there were over 5,000 security incidents
within Federal agencies in fiscal year 2006, up 18 percent from
the previous year.
    Reports of inadequate security controls at the Departments
of Defense, Homeland Security, and State also raise concerns
that protecting electronic data is also a significant threat to
our national security.
    When it comes to information security, the old phrase
``good enough for Government work'' does not apply.
    I hope that today's hearing will shed light on the
challenges facing FISMA implementation and potential solutions
to those issues.
    Thank you. I yield back my time, Mr. Chairman.
    Mr. Towns. Thank you very much.
    Now we will turn to the first panel. It is committee policy
that all witnesses are sworn in, so please stand and raise your
right hands.
    [Witnesses sworn.]
    Mr. Towns. Let the record reflect that they all responded
in the affirmative. Thank you. You may be seated.
    Our first panel features the experts on information
security in the Federal Government.
Karen Evans is the
Administrator of the Office of E-Government and Information
Technology at the Office of Management and Budget. She is an
experienced IT professional and leads the administration's
programs on information security.
    Welcome to the committee.
    Also, we would like to welcome Mr. Wilshusen, who is the
Director of Information Security Issues at the Government
Accountability Office [GAO]. He is also a long-time expert on
this topic and has testified before this committee several
times.
    Welcome back.
    Vance Hitch is the Chief Information Officer at the
Department of Justice. He manages Department information and
technology programs with a budget of $2.4 billion--that is B as
in Boy--and has more than 30 years of experience in managing
Government IT projects.
    And let me note that your entire statement will be included
in the record. If you could just summarize within a 5-minute
period, we would certainly appreciate it, which will allow time
for questions and answers.
    I know you know the procedure in terms of when the yellow
light comes on that is caution, and when the red light comes
on, that means we hope that you will stop.
    Ms. Evans, will you proceed?

   STATEMENTS OF KAREN S. EVANS, ADMINISTRATOR, OFFICE OF E-
GOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND
 BUDGET; GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION SECURITY
  ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE; AND VANCE HITCH,
        CHIEF INFORMATION OFFICER, DEPARTMENT OF JUSTICE

                  STATEMENT OF KAREN S. EVANS

    Ms. Evans. Good afternoon, Chairman Towns, Chairman Clay,
and members of the committee. Thank you for inviting me to
discuss the status of the Federal Government's efforts to
safeguard our information and information systems.
My remarks
today will focus on our strategy for addressing continuing
challenges, securing and protecting the information of our
citizens.
    OMB has taken a number of steps to improve information
security and privacy through effective use of policy tools, our
Government-wide management processes, and leveraging our
requirements in the marketplace. Overall, Departments continue
to improve their programs. The specific information has been
included in the annual submission of the Federal Information
Security Management Act Report to Congress and has been
included in my written testimony today.
    In 2006, as noted, several agencies experienced high-
profile data security breaches involving personally
identifiable information.
    I have also included in my written statement many of the
activities the administration has also taken to date to address
these issues.
    I would like to mention specific activities OMB is engaging
in now to move beyond compliance and to improve information
security and privacy. Some of these initiatives include: the
information technology security line of business, standard
identification for Federal employees and contractors, the
adoption of a common desktop security configuration, and
Government-wide contracts for data encryption.
    Our most recent initiative is a focus on helping agencies to
procure secure software and applications.
For example, we
recently completed a Government-wide contract through the GSA's
SmartBuy initiative for anti-virus software, and we are
nearing completion on another SmartBuy contract for Federal
Information Processing Standards 140-2 certified encryption
tools, which will include the ability for State and local
governments to also purchase these tools at the Federal
Government prices from this contract.
    We also have recently issued a memorandum requiring
agencies to adopt common desktop security configurations for
Windows XP and the Vista operating system, with a target
completion date of February 1, 2008. The policy also requires
secure configurations to be included in their agency
procurements going forward from June 30, 2007.
    We are leveraging the work that has been completed
collectively and cooperatively by Microsoft, the National
Institute of Standards and Technology, Department of Homeland
Security, and the Department of Defense. OMB has now provided
the recommended language for the agencies to use when they are
issuing new acquisitions.
    The administration takes its information security and
privacy responsibilities very seriously. These actions will
help reduce the security incidents we have been experiencing,
permit us to better respond when prevention fails, and provide
us a more complete and timely view of agency performance.
    Agencies spend more than $6 billion a year on controls to
protect information and computer systems, and we will continue,
through our oversight and the President's management agenda
scorecard process, to ensure that this money is wisely spent.
    Finally, the administration intends to continue to focus on
protecting the personal information of our citizens, while
improving our services.
An information security program, when
implemented correctly, results in protection of all
information, including personal information.
    I look forward to working with you to improve our security
and our privacy programs and welcome any suggestions you may
have. I would be happy to take questions when appropriate.
    [The prepared statement of Ms. Evans follows:]

    Mr. Towns. Thank you very much.
    Mr. Wilshusen.

               STATEMENT OF GREGORY C. WILSHUSEN

    Mr. Wilshusen. Chairman Towns, Chairman Clay, members of
the subcommittee, thank you for inviting me to testify at
today's hearing on information security in the Federal
Government.
    For many years GAO has identified weaknesses in information
security as a Government-wide, high-risk issue with potentially
devastating consequences, such as intrusions by malicious
users, compromised networks, and the theft of personally
identifiable information. Over the past year or so, we have
seen many of these consequences become reality.
    Recently reported information security incidents at
Federal agencies have placed sensitive data at risk, including
the theft, loss, or improper disclosure of personally
identifiable information on millions of Americans, thereby
exposing them to a loss of privacy and the potential harm
associated with identity theft.
The wide range of these
incidents underscores the need for improved security practices.
    Today I will discuss the weaknesses that persist in
information security controls at Federal agencies, progress
that the agencies have made in implementing FISMA, and
opportunities to enhance the usefulness of the annual FISMA
reports and independent evaluations.
    Mr. Chairman, serious weaknesses continue to threaten the
confidentiality, integrity, and availability of Federal systems
and information. Almost all major agencies were cited by GAO or
their Inspectors General or independent auditors for
significant control deficiencies.
    For example, 22 of the 24 agencies did not have adequate
access controls in place to ensure that only authorized
individuals could view, access, or manipulate data.
    Even basic controls were sometimes inconsistently
implemented. For example, well-known vendor-supplied passwords
were not changed. Users were granted access privileges that
exceeded their need. Network devices and services were not
securely configured. Sensitive information was not encrypted,
and audit logs were not adequately maintained.
    Agencies also lack effective physical security controls.
For instance, many of the data losses that occurred at Federal
agencies were a result of physical thefts or improper
safeguarding of laptops or other portable devices.
    An underlying cause for these weaknesses is that agencies
have not fully or effectively implemented the information
security programs required by FISMA. As a result, agencies may
not have the assurance that controls are in place and operating
as intended to protect their information systems, thereby
leaving them vulnerable to disruption, attack, or compromise.
    Nevertheless, Federal agencies report steady progress in
implementing FISMA control activities.
For example, in fiscal
year 2006 the number of major agencies that now have a
substantially complete inventory increased from 13 to 18, and
the percentages of Federal systems Government-wide
that have been certified and accredited, tested and evaluated,
and have tested contingency plans all increased. The percentage
of Federal employees and contractors who received security
awareness training increased from 81 to 90 percent, while the percentage
of employees with significant security responsibilities who
received specialized training also increased. However, IGs at
several agencies sometimes disagreed with the agency-reported
information and identified weaknesses in the processes used to
implement some of these activities.
    OMB has taken steps to improve the security of Federal
information by recommending agencies encrypt all sensitive
information on mobile computers and devices and requiring
agencies to adopt common security configurations for Windows XP
and Vista operating systems. If effectively implemented, these
steps could strengthen agencies' controls over sensitive
information.
    Opportunities exist for enhanced FISMA reporting. Most of
the performance metrics used for FISMA reporting measure the
extent to which a control has been implemented. However, with
two exceptions they don't address the effectiveness of the
control. Additional information on control effectiveness or the
quality of processes used to implement the controls would help
agencies, OMB, and the Congress to better ascertain the state
of Federal information security.
    Improvements should also be made to the independent annual
evaluations performed by the IGs.
The IGs lacked a common
approach and used varying scopes and methodologies for
performing the evaluations, making comparisons across agencies
over time less meaningful.
    The President's Council on Integrity and Efficiency has
developed a framework which might provide a more consistent
approach for the evaluations.
    In summary, Federal systems and information remain at risk,
despite reported progress in implementing required information
security controls.
    Mr. Chairman, this concludes my opening statement. I will
be happy to answer your questions.
    [The prepared statement of Mr. Wilshusen follows:]

    Mr. Towns. Thank you very much.
    Mr. Hitch.

                    STATEMENT OF VANCE HITCH

    Mr. Hitch. Good afternoon and thank you, Mr. Chairman and
members of the committee, for the invitation to speak to you
today.
    As the Chief Information Officer for the Department of
Justice, I am proud to discuss the accomplishments of the
Department in the area of information security and FISMA
compliance during my 5 years of service at the Department.
    Your Honor has asked me to discuss DOJ's efforts to comply
with FISMA and the role the CIO Council plays in addressing
Government-wide security challenges.
    In my role as the CIO, I develop IT security policies,
procedures, and tools, and then coordinate their implementation
across many components. However, there are aspects of IT
security which are not covered by FISMA, and I try to play the
role of both mentor and facilitator to help our components
balance mission-specific defensive security along with
compliance-related security.
    My testimony today will cover both what the Department does
to ensure compliance and what we do to improve our defensive
security posture across all of our 40 components within the
Department of Justice.
    DOJ has received a grade of A-minus for FISMA compliance,
and we are very proud of this accomplishment. The majority of
work, and therefore the credit, belongs to the many information
technology specialists supporting the over 200 FISMA reportable
systems that we have. However, we at DOJ want to go beyond
compliance and to support our components with mission-specific
defensive security.
    Today's world of cyber attacks has changed. A denial of
service attack is no longer viewed as a significant
accomplishment in the hacker community.
Hackers now have more \nambitious goals, such as placing explodable code on computers, \nor key-logging, to capture user-entered information. Many of \nthe attacks come from foreign countries and criminal \nenterprises both here and abroad.\n    When I first became the CIO at DOJ, DOJ had a small \nsecurity group within our policy office. One of my first \norganizational changes was to introduce a corporate level chief \ninformation security officer and to set up an IT security \noffice. Our initial efforts focused on establishing a basic \nsecurity program and developing a means to track and report \nprogress back to OMB.\n    An obvious initial need was to bring on good people with a \nbackground in IT security. We hired from other agencies and \nalso recruited people from the private sector. We also utilized \nthe National Science Foundation's Cyber Corps program and have \ncontinued to hire personnel from this valuable initiative.\n    Once we had the right people on board, our next focus was \nto increase awareness and training. Our security staff updated \nand improved our system inventory and enhanced our policies \nrelating to certification and accreditation and patch \nmanagement. Once these basics were in place, we pushed \nourselves to improve our efficiency and effectiveness. Included \nin this effort was the new standardized method for all \ncomponents to report incidents to a centralized DOJ computer \nemergency readiness team, which then had the responsibility of \ncoordinating with the US-CERT. Our security team worked with \nthe components to choose Department-wide tools for scanning and \nlogging events across the networks.\n    Another key component of this phase was reaching on a \nstandardized desktop and laptop configuration for our \nDepartment-wide office automation program. 
This move not only \nimproved our IT security, but also better leverages our \nsignificant buying power.\n    As the Department moves forward, we are heavily influenced \nby the very significant and numerous losses of PII--personally \nidentifiable information--that have occurred in both the \nGovernment and the private sector. DOJ is addressing the \nprotection of PII by modifying our policies related to laptops, \nthumb drives, and other IT tools.\n    In future efforts, we will be focusing on operationalizing \nthe policies and processes included in the new systems or in \nupdates that we make to existing systems. Most importantly, we \nwant to move beyond FISMA's identification of vulnerabilities \nto confirming the completion of security corrective actions.\n    We intend to insert new language in our life cycle \ndevelopment policies and our new contracts and into our C&A \nbusiness processes. We are planning to implement a Justice \nsecurity operations center by building off the work already \ndone by the FBI. This JSOC will house the CERT team and will \nalso house the security engineering staff to support the \ncomponents in both emergency and non-emergency tasks. This will \ngive us improved situational awareness.\n    The CIO Council is an outstanding group of individuals who \nmeet to discuss a wide range of issues affecting the entire \nGovernment IT community. It is a great forum to further \nunderstand different perspectives on pending policies or \nlegislation.\n    The Council also endorsed the idea of an IT security line \nof business, and recently DOJ was selected by OMB to run an \ninformation security line of business.\n    The long-term success of the IT security program at DOJ \ndepends on much more than achieving a high FISMA grade. We are \nshifting our focus to defending our missions, which is more \nthan just the systems. 
It is important to remember that \nsecurity is a balance of mission, threat, vulnerability, cost, \nand compliance.\n    My customers in law enforcement, our attorneys and our \ncorrectional officers, expect reliable and secure collaboration \ncapabilities. As we build new systems and upgrade our older \nsystems, security is a crucial piece of the solution.\n    I encourage Congress to continue to support its Government-\nwide efforts such as US-CERT, the CIO Council, and Cyber Corps, \nwhich enriched our capabilities by bringing talented people \ntogether to share information and solutions.\n    The fight is an ever-changing fight, and we all must stay \nfocused on the new threats and the new vulnerabilities.\n    Thank you for your time this afternoon. I will be very \nhappy to answer any questions you may have.\n    [The prepared statement of Mr. Hitch follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T9025.046 through T9025.054\n    \n    Mr. Towns. Thank you.\n    Let me thank all three of you for your testimony. We will \nnow move to the question period.\n    I am the sponsor of a bill that would regulate spyware, \nwhich passed the House yesterday. The reason for the bill is \nthe complaints I have about spyware, not just from consumers \nbut also from large companies that have to deal with it. One \ncomputer manufacturer has said that problems related to spyware \ncause most of their customers' complaints. Another company has \nsaid that spyware accounts for about 50 percent of all tech \nsupport calls.\n    Dealing with spyware is adding hundreds of millions of \ndollars in costs to companies. 
My question is: how much money \nand time do computer experts in the Government spend keeping \nspyware off Government computers?\n    Let me just go right down the line with you, Ms. Evans.\n    Ms. Evans. Mr. Towns, I can't answer the specific question \nas it relates to spyware, because that is one piece in a \ncomprehensive program. What we do track from an OMB perspective \nand what we look at from a cost perspective is ensuring that \nthey take proper precautions within each of the investments. So \nwe are capturing the information of what agencies intend to \nspend and plan to spend on security, and it has been increasing \nevery year.\n    For the President's budget that was submitted that is \ncurrently under review now, the fiscal year 2008 budget, it is \nanticipated that included in that is $6 billion for the Federal \nGovernment as a whole to deal with information security/\ninformation protection.\n    Mr. Towns. Thank you.\n    Mr. Wilshusen. And I also can't comment directly on the \ncost associated with searching for and cleansing systems from \nspyware. I can say that it is an issue and that often spyware \nis quite difficult to identify on a system, so it does take \nsome effort to identify it and then to rid it from the system, \nand so there is a cost associated with time and resources to do \nthat.\n    Mr. Towns. Right.\n    Mr. Hitch. Likewise, I can't comment on the specific cost, \nbut I would agree with you that it is a very large problem, and \njust a general problem of bugs and whether they are malicious \nor inadvertent that are in the software that we all use are a \nhuge problem. 
We spend a tremendous amount of money on what we \ncall patch management, which is basically implementing patches \nthat have been found to problems within the software that we \nall buy.\n    So what I think part of the solution in the future is--and \nI know that OMB is very much active in this and I am working \nalong with the CIO Council on a committee which is working on \nthis problem right now--is to go back in the supply chain and \nto talk to the software vendors about their processes that they \nuse to develop the software, making sure that they are rigorous \nand have certification or at least standards for them to meet \nbefore we buy their software.\n    The other answer is to kind of put language in our \ncontracts which ensure that we are protected from those kind of \nthings and have penalties when we find something that is \nuntoward.\n    Mr. Towns. Thank you. Thank you very much.\n    Mr. Wilshusen. And if I may add, sir, I would agree with \nthat, because one of the critical causes for most of the \nweaknesses we identify, or many of the weaknesses we identify \non our information security reviews is the fact that systems \nand operating systems are not configured securely, and that \npatches are not installed in a timely manner, and we are able \nto exploit those vulnerabilities in order to increase the level \nof access on a particular audit, and it is one of the root \ncauses for many of the problems that Federal agencies face in \nimplementing their security.\n    Mr. Towns. All right.\n    Let me ask you, and I guess we will start with you, Ms. \nEvans, do the FISMA reports measure results or just how \neffective the agency can complete the paperwork exercise?\n    Ms. Evans. Mr. Chairman, this is a complicated question, \nand that is why I wanted to have my remarks, and I specifically \nsaid going beyond compliance. 
If an agency chooses to just \ncomply, that they view it as a paperwork exercise and look at \nthe metrics and the activities that we have, then it will \ngenerate reports and the agency will not be secure. They will \nnot have good management practices in place. They may have good \nmetrics that are reported in because they will have good \nnumbers, and that is why it is critical that we are working \nwith the Inspectors General to have the quality aspect be \nreviewed of those management processes.\n    So what we are really trying to do is get beyond \ncompliance. If you really just look at the letter of the law \nand look at what is there, you could generate an environment \nwhere the agency is just cranking out reports so that we can \nreview those. That would not be representative of a secure \nprogram.\n    But if it is properly implemented, the framework with it, \nand really focusing on the risk and the information that you \nhave, and having the quality of your processes evaluated, then \nFISMA is measuring what a good program would have, and so that \nis why, through our oversight, we are working with the agencies \nso that we can move them beyond a compliance type of ``I have \nto get this report in to OMB and in to Congress,'' and really \nfocus on the results of securing the information that they are \ncollecting.\n    Mr. Towns. Yes.\n    Mr. Wilshusen. And if I may add, I would also say that I \nagree with what Ms. 
Evans has said in that if agencies are \nusing this process as a paperwork exercise just in order to \ncomply with the law, then they are missing the benefit that \nFISMA offers, because FISMA is based on sound information \nsecurity principles, and the agencies should be more concerned \nabout implementing the processes behind some of the metrics \nthat are being used.\n    As I mentioned in my opening remarks, many of the \nperformance measures that are now being used to measure \nimplementation of FISMA are based on merely implementing the \ncontrol. It does not address or reflect the effectiveness of \nthose controls. That is why I believe the metrics and the \nreporting procedure under FISMA should further address the \neffectiveness of controls that are being implemented, not just \nwhether or not a control has been implemented.\n    Mr. Towns. Right.\n    We have been joined by the ranking member of the full \ncommittee, Mr. Davis of Virginia. At this time I would like to \nyield 5 minutes to the ranking member from Virginia, Mr. Davis.\n    Mr. Davis of Virginia. Thank you very much. I ask my \nopening statement be put in the record.\n    [The prepared statement of Hon. Tom Davis follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T9025.056 through T9025.062\n    \n    Mr. Davis of Virginia. I apologize I wasn't here earlier. I \nhave a bill pending upstairs in another subcommittee. I am \ngoing to have to go back and forth.\n    Ms. Evans, let me start with you. What changes or \nimprovements is your office proposing for the 2007 FISMA \nguidance? Do you plan to issue new or updated guidance \nregarding Circular A-130?\n    Ms. Evans. Right now the draft guidance is out for the \nagencies to review. 
We are open to consideration for changes \nthat could occur in that. Pretty much right now we are holding \nthem steady, but really looking to the effectiveness of the \nmeasures and the quality of the processes.\n    Mr. Davis of Virginia. OK. Federal information security has \nbeen high on the GAO risk list for several years. What are you \ndoing to address the areas of weakness that they have \nidentified and that would remove the Government-wide \ninformation security from the list? How are we attacking this? \nAnd is there anything legislatively that we need to do to give \nyou additional tools?\n    Our biggest fear is that we pass these laws, we have annual \nreport cards. Everybody's sitting here fat, dumb, happy. If you \nask the average Member what FISMA is, they think it is a new \ncola or something. They are really not into this. But the \nminute you get something approaching a cyber Pearl Harbor or \nsomething everybody is going to be pointing fingers and saying \nwhat did you do about it. So I am asking: what are we doing \nabout it at this point?\n    Ms. Evans. Well, we are moving beyond compliance. Chairman \nTowns just asked the question about FISMA and the reporting and \nthe metrics and are we just in a paperwork exercise or are we \nreally achieving the results that were intended by the \nlegislation going forward. I feel the legislation is sound. I \nknow you introduced a modification which deals with breach, and \nthat also obviously needs to be addressed as far as \nnotification to citizens and entities. However, I really \nbelieve where we are at right now is in the execution of what \nwas intended with the law. We have gotten the basic foundation \nin place, but we have to get agencies really focused on what is \nthe result intended--having good, sound management practices in \nplace, using the tools that we have.\n    For example, with us spending $65 billion in information \ntechnology--and Mr. 
Hitch hit on this--we should be very \ndemanding of the industry about what we need to have built into \nour applications, what the software should have, not making \nthings that are more convenient for system administration types \nof activities and having those open so that is easier to \nmaintain, but actually having that shut down where agencies \nhave to make a conscious decision and balance that risk.\n    So I really think that we need to improve the execution of \nwhat we are doing, what was intended by the law, and in that \nway you can get the quality and assess the quality.\n    Mr. Davis of Virginia. Is there an issue as we ask our \nmanagers to do more and more, not just with FISMA but a whole \nvariety of new jobs we give them, where we probably should be \nadding funding, or from an appropriations perspective are we \ndoing enough to back this up, or are we just saying this is \nanother box to check, we expect you, with your limited time, to \njust add this to the list, which forces a number of difficult \nchoices.\n    My experience has been managers are focused on \naccomplishing the mission. This is more cost avoidance, and it \ntends to be more check the box.\n    Do we need to do a better job of funding it in certain \nareas, and are we getting the right input from Government to do \nthat?\n    Ms. Evans. Well, the way that our policy is set up, sir, is \nfor agencies to really look at the services they are doing and \nthen ensuring that security and privacy and the cost to \nmaintain that is built into the investment up front. If an \nagency is in a compliance mode and they view FISMA and the \nreporting as a check mark exercise, then when something happens \nor the proper precautions aren't put in place it is always more \ncostly to go back in afterward and fix things. So we really are \nviewing from our capital planning process, our budgeting \nprocess, how all of this is set up, that agencies really look \nat this in the beginning. 
It is one of many responsibilities \nthat everyone has when you are going forward to provide a \nservice for the citizen or internally for businesses or what \nyou are doing.\n    Mr. Davis of Virginia. I just want to get my last question \nin.\n    Mr. Hitch, let me just ask you, does the OMB guidance allow \nfor an accurate measurement of the status of an agency's IT \nsecurity program? Are you getting appropriate guidance, do you \nthink?\n    Mr. Hitch. I have to say I give FISMA good grades overall. \nI think it has helped me through the years to give visibility \nto IT security, to make sure that management understands the \ncriticality of it, and so forth, and gives me a little bit of \nbacking when I go for funds and so forth.\n    I do think the bar has gone up each year, and I think that \nis appropriate. I think the bar should continue to go up, \nbecause the general level of IT security in the Government is \nbetter.\n    As I said in my opening statement, the direction that we \nare going--and I think that is the direction FISMA will go--is \nmore operational aspects of making sure that we are \nimplementing all the controls that we need to implement.\n    I mentioned our security operations center. Situational \nawareness is the other thing. Right now we are aware when we \nhave incidents, but the question is are we aware soon enough to \nminimize the risk, to minimize the impact of a specific \nincident, to tell other components within our organization that \nthis situation has arisen, and to mitigate the overall impact \nof it. So we are going for situational awareness and we are \ngoing for making sure that we are addressing all of the items \nin our programs, is what we call it, the items where we found \nvulnerabilities, to fix them. 
Because one of the things that a \nC&A, which is measured by FISMA, makes you do is to create a \nprogram of action to milestones to say you are going to fix \nthem, it leaves it to your judgment whether or not you are \ngoing to let the system continue to operate.\n    What we have found is we are always aware. When an auditor \npoints out that there is a problem in a system, we are always \naware of it because we have done our homework and we have done \nthese analyses and so forth, but we haven't fixed them all. We \nare fixing them in order of priority based on how significant \nthey are, what we think the risk of them is. So we are going to \nreally focus on trying to get those pro-ams down and get as \nmany of the risks as we can accomplished.\n    Mr. Clay [presiding]. Thank you. The gentleman from \nVirginia's time has expired.\n    I recognize the gentleman from New Hampshire, Mr. Hodes.\n    Mr. Hodes. Thank you, Mr. Chairman.\n    As a recent Member of Congress, I am just beginning to get \nmy hands around the dimensions of the issues that we are \ndiscussing here today, and the reports that you have provided \nand the testimony are very helpful, so I appreciate that.\n    Has anybody done a study that would tell us or help us \nquantify the kind of dollar losses the Federal Government is \nsuffering as a result of the issues that we are dealing with \ntoday in terms of lost productivity, lost time, lost hardware, \nlost software, what it is costing us on an annual basis to deal \nwith security breaches and other problems that, if we were in a \nperfect world, we wouldn't have to deal with?\n    Mr. Wilshusen. We have not done such a review and we have \nnot been requested to do such a review, but we would be willing \nto work with you and your staff if you would like to have one \ndone.\n    Mr. Hodes. 
Because I noted someone testified that there was \n$6 billion annually being spent for controls over computer \nsystems, and my guess would be that we are losing significantly \nmore money than that in the Government for lack of compliance \nand lack of ability to meet all the goals that we are trying to \nmeet.\n    Mr. Wilshusen. The cost could be significant. I know with \nthe VA theft of last year there was testimony that, at the time \nwhen the laptop had not been recovered, that the VA was \nconsidering providing credit monitoring and other services to \nthe veterans. At some of the hearings they said it could cost \nanywhere from between, like, $30 to $100 per service member \nthat was affected. When you multiply that by 26.5 million \nmembers, that is a big chunk of change.\n    Mr. Hodes. I understand that, based on reports from the \nInspectors General of each agency that were published during \n2006, only 19 of 25 agencies reported to have an effective \nstrategy in place to remedy security weaknesses. I am hoping we \nare making improvements. But in order for these agencies to \nprovide services, many agency information systems are \ninteroperable.\n    Am I correct in understanding that we really are dealing \nwith the weakest link in the chain; that if one agency is \ndeficient, then the entire system is really brought down to the \nlevel of that agency?\n    Ms. Evans. Yes, sir, that is the simplest answer, that we \nare as strong as our weakest link. That is why we are taking \nsteps beyond just the reporting and looking at the metrics, and \nthings such as the standard desktop configuration and having \nthat deployed across the entire Federal Government raises the \nbar, and then also reduces our time to patch so that it will \nraise the security overall. So these are execution steps now \nthat we are in because of the exact situation that you just \ndescribed.\n    Mr. Hodes. Now, I would like to just think outside the box \nfor a moment. 
Given where we are today and given the \nvariability that I have heard in terms of how agencies are \ndoing--and it sounds, Mr. Hitch, like the DOJ is doing a \ncommendable job and that you have placed an enormous emphasis \non doing what you need to do to bring things up to snuff in \nterms of your information, and I understand that the CIOs are \nmeeting regularly. Is there a point person, one point person \nwho is helping to manage the issues around information security \nand the compliance with FISMA that we have, or is it spread \naround the Government? And do we need some person to take \ncontrol of this and help direct all these efforts, or is what \nwe have in place adequate?\n    Ms. Evans. Sir, I will take the first shot at that.\n    Mr. Hodes. OK.\n    Ms. Evans. I would say that the point person for the \nadministration from a policy perspective and a coordination \nperspective is myself. The reason being is I am also the \nDirector of the CIO Council. So I work directly with the \nDepartment of Homeland Security, which manages our US-CERT \noperation, and also does the operational aspects and has \nGovernment-wide looking across the board from an operational \nperspective.\n    What we are doing from a budget perspective and then \nanalyzing several tools that I have with, say, for example, the \ninformation security line of business and the infrastructure \nline of business, we are bringing those together so that we can \nthink outside the box.\n    For example, every agency has a network, and your example \nof the weakest link, is it necessary for every agency to \nmaintain a presence on the Internet? If you don't have a strong \nenough staff to fully man it 24 by 7, be aware of it, like Mr. 
\nHitch has described, maybe that agency should be getting some \nof its services and its expertise from another agency.\n    We have identified across the board that information \nsecurity professionals are a mission critical need within the \nFederal Government. We have identified how many we have \nonboard, how many we need to have across the Federal \nGovernment, and we are managing and leveraging those resources \nall the way across from people to the actual hardware and \nservices that we procure. So my office puts together the \npolicies and then analyzes the investments and the requests \nthat come in and then make a recommendation so that the \nPresident's budget will reflect those policies and then the \nagency's ability to implement those.\n    Mr. Hodes. And, No. 1, do you have enough resources? And I \nalways hear in all these committee hearings, no, we never have \nenough resources, but you may. And, No. 2, is there any \nlegislation that we need to pass to make FISMA work better and \naddress this issue?\n    Ms. Evans. Well, the President's budget, sir, reflects his \npriorities accordingly, and so the agencies then budget for \nthis, and that would be in there as the risk-based approach as \nthey go forward. I would say we have the resources that we \nneed, $65 billion, $6 billion in this area is a lot of money \nthat is being spent, so we need to use it appropriately.\n    I have really looked at the FISMA legislation and I really \nfeel that the tenets, the principles, the things that are there \nare the right framework, and Congress had it right when they \npassed it. What we really have to look at is the agencies' \nexecution, and looking at the guidance that we are providing \nfrom this, looking at the policies of how we have interpreted \nsome of that legislation, and work with you to enhance those so \nthat we can get to the results that were intended.\n    Mr. Hodes. Thank you very much. Thank you, Mr. Chairman.\n    Mr. Clay. 
Thank you.\n    Let me ask Ms. Evans, does OMB require agencies to \nspecifically account for information security in agency IT \nacquisition plans through the Circular A-11 processes?\n    Ms. Evans. Yes, sir, they are supposed to. Mr. Chairman, \nthey are supposed to address those in the major business cases. \nThat is part of what is evaluated when they send what we call \nan exhibit 300. That is looked at in conjunction with the \nannual reports that the agencies do that we get from FISMA and \nfrom the IG's review, so we look at all of that information \nacross the board when we are analyzing what the agencies are \nasking for and how they are planning to spend their money.\n    Mr. Clay. And do you think that they are spending it in a \nway that protects taxpayers' investments and that is the best \nuse of that money, or is it patchwork throughout the \nGovernment?\n    Ms. Evans. I would say that the agencies are really \nattempting to do the best that they can. What we have the \nopportunity from my level is to look across the board, and so \nthings such as--and I am going to go back on a Government-wide \ncontract for data encryption. We can see that all agencies are \nrequesting that. We put out the policy that agencies should \nhave that. We are following up from things that are already \nthere.\n    What we can do from my office, in conjunction with the \nGeneral Services Administration, is give stronger guidance to \nthe agencies and say we will use and leverage all our buying \npower over here. So things like getting a Government-wide \ncontract, and then also extending it out to State and local \ngovernments, because they have the same issues that we do.\n    Looking at things like the Microsoft configuration, \nagencies are spending a lot on operations because you have to \npatch. 
So if we raise that and we built that into the \nprocurement, so now you can centrally manage patching and you \ncan distribute it faster, you can reduce some of the resources \nthat you are spending on these daily operations and move them \nmore into mission-specific types of activities like Mr. Hitch \nwas talking about earlier.\n    Mr. Clay. Yes. Mr. Hitch, did you have something to add?\n    Mr. Hitch. Well, I would just add, what Ms. Evans was \ntalking about was at the OMB level when you submit a 300 on a \nsystem. You have to kind of check off a box and basically say \nthat you are aware of the importance of IT security and you \nhave in your investment enough money to cover IT security when \nyou do this.\n    Down at the Department level, at DOJ, we have something \ncalled the DIRG, the departmental IT--or the U-Board. In that \nprocess you look at all of these projects as they are coming \nalong, right from the very inception when they are first \nbrought up and when requirements are done all the way through \nthe contracting process through implementation. We, likewise, \ncheck IT security as part of our overall review at each \ncheckpoint. 
We check it at the budget process checkpoint and \nthen we check it at the implementation checkpoint.\n    So through our processes I am trying to make sure that we \nare actually implementing IT security when we are actually \nbuilding the systems.\n    I would like to pick up on a point that was made earlier, \nhowever, and that is a lot of the answer has to be a balanced \napproach of dealing with the systems we have now and making \nreasonable and intelligent choices as to what we are going to \nfix about those systems and the vulnerabilities in those, and \nthen getting it earlier into the pipeline as we are building \nnew systems to make sure that we are preventing these same \nerrors from happening and us having to deal with them 5 and 10 \nyears from now, because it is actually more costly to fix these \nvulnerabilities in their existing systems than it is to take \nthe prudent steps necessary to prevent them from being in the \nsystems that we are developing.\n    So we have to go back in the system development pipeline as \nwe are developing the systems, and also with the products that \nwe are using in our systems that are coming from the private \nsector.\n    Mr. Clay. OK. Let me ask Mr. Wilshusen, in your recent \nreport on the information security controls at the FBI \nindicates that there are significant weaknesses throughout the \nagency's networks. Can you define what the major weaknesses \nare----\n    Mr. Wilshusen. Sure.\n    Mr. Clay [continuing]. And the necessary steps to correct \nthe problems?\n    Mr. Wilshusen. Right. We looked at a critical internal \nnetwork at the FBI and we found that the FBI did not \nconsistently configure their network servers and devices \nsecurely. We found that they did not identify and authenticate \nusers in an appropriate manner or enforce the principle of \nleast privilege when assigning authorizations to users. 
We also \nfound that they did not apply strong encryption or log, audit, \nand monitor activity over the network appropriately. And, \nfinally, we found that they did not patch their servers in a \ntimely manner.\n    All of this collectively increased the risk to insider \nvulnerability, so to the insider threat.\n    Mr. Clay. Do you believe that agency procurement activities \nare adequately incorporating security into their IT budgets? Is \nthere effective planning done by agencies during the front end \nof systems integration and development processes?\n    Mr. Wilshusen. Do you mean generally or in this specific \ninstance?\n    Mr. Clay. Generally.\n    Mr. Wilshusen. Generally I would say that is an area that \nneeds improvement in that agencies do need to focus on \nidentifying their security requirements up front, early in the \ndevelopment life cycle process, in order to assure that they \nare being addressed as the development process continues.\n    Mr. Clay. How about in this particular case with the FBI?\n    Mr. Wilshusen. In this particular case we found that these \nweaknesses I think were more of a matter of management \nattention or in terms of assuring that the controls were not \nimplemented in a timely manner. For example, we found that to \nnot have a complete inventory or current inventory of the \nnetwork devices and/or identifying they had some issues with \nsystem interconnectivity issues, as well. In many cases, their \ntesting and evaluation process was not very good because we \nidentified vulnerabilities that they did not know about or \nidentify during their test and evaluation processes on that \nnetwork.\n    Mr. Clay. OK. Thank you.\n    Mr. Hitch, anything to add on that one?\n    Mr. Hitch. 
Well, I would just add that I think when you \nactually do a specific review of any system you are going to \nfind some vulnerabilities, and hopefully we have identified \nthem and are at least aware of them and are about to have a \nplan to fix them or have at least made a temporary decision \nthat, based on the overall risk and the other compensating \ncontrols, we are willing to live with that, at least until \nwe can get the money to fix that particular thing.\n    Mr. Clay. Let me ask you to describe for us your work on \nthe Federal CIO Council, specifically as it relates to cyber \nsecurity and privacy issues. Are there specific activities \nunder way to address the widespread information security \nweaknesses at different agencies throughout the Government?\n    Mr. Hitch. Yes. I think the CIO Council is a very useful \ngroup in terms of the activity they pursue, particularly as to IT \nsecurity. There is a Best Practices Committee within the \nFederal CIO Council, and IT security is one of the items that \nis very high on its agenda. In fact, this year they are going \nto have a cyber security day, where all the agencies are going \nto be participating in terms of coming in and, from a training \nstandpoint, as well as demonstration and best practices \nstandpoint, talking about finding out the best and latest in IT \nsecurity.\n    The Federal CIO Council, as I mentioned earlier, is also--\nand I am the representative on a committee to look into the \npipeline process, from where the software manufacturers are \nproducing software that we then use, all the way up through its \nimplementation and its disposal. After we are finished with it, \nwhat do we do with it to make sure that it doesn't create any \nresidual risk after we are finished with the systems?\n    So I think there are a number of initiatives that are \nhappening on the Federal CIO Council that are very much aimed \nat IT security.\n    Mr. Clay. 
Let me ask you to describe for us the flaws in \nyour agency's oversight which led to the failure of the virtual \nfile sharing program within the Trilogy modernization.\n    Mr. Hitch. OK. The virtual case file situation happened a \nnumber of years ago and, in fact, I would have to say, in \nconjunction with Ms. Evans, I think I was a part of the process \nthat led to the shutting down of that process, because we felt \nthat it was flawed. The management was flawed and the contracts \nthat were a key part of that process were flawed.\n    Mr. Clay. The vendors?\n    Mr. Hitch. The failure, yes.\n    Mr. Clay. Yes.\n    Mr. Hitch. And therefore we felt that continuing to work on \nthat was throwing good money after bad, and so we actually shut \nit down. Those flaws were many. It was contracted improperly. \nThe FBI did not have the appropriate management team in place \nand the skills that it kind of assumed through that contracting \nstrategy in order to manage that contract. They, by definition, \nassumed a systems integration role and a project management \nrole. So there were many issues with that, and that is why we \nshut it down. And when we are moving forward with a new \ngeneration, we have tried to address all of those issues.\n    Mr. Clay. Let me thank this entire panel for their \nresponses.\n    We are in the process of voting now on the floor. I will \ndismiss this panel, and then when we come back we will \ntemporarily recess while votes are occurring. When we come \nback, we will swear in panel two. Thank you all for being here \ntoday.\n    We are temporarily in recess.\n    [Recess.]\n    Mr. Clay. The joint hearing will come to order.\n    Let me thank Chairman Towns first, and I will now introduce \nour second panel of witnesses.\n    Mr. Phillip J. 
Bond serves as the president and chief \nexecutive officer of the Information Technology Association of \nAmerica, representing 325 leading software, Internet, \ntelecommunications, electronic commerce, and systems \nintegration companies. His previous Government service includes \nserving as an Under Secretary of the U.S. Department of \nCommerce and Chief of Staff to former Commerce Secretary Don \nEvans.\n    Welcome, Mr. Bond.\n    Mr. Paul Kurtz is a partner and COO of Good Harbor \nConsulting, LLC, and is a recognized cyber security and \nhomeland security expert. He previously served in senior \npositions on the White House's National Security and Homeland \nSecurity Councils under Presidents Clinton and Bush, and as the \nexecutive director of the Cyber Security Industry Alliance.\n    Welcome to the committee.\n    Mr. John Carlson serves as the executive director of BITS, \nwhere he focuses on information and security issues, business \ncontinuity, planning, and outsourcing risk issues for BITS \nfinancial institution members. Prior to joining BITS he worked \nfor 9 years at the Office of the Comptroller of the Currency in \na variety of roles, including Acting Director, Deputy Director, \nand Senior Advisor of the Bank Technology Division.\n    Thank you for being here, Mr. Carlson.\n    Mr. James Andrew Lewis directs the Technology and Public \nPolicy Program at the Johns Hopkins Center for Strategic and \nInternational Studies and is a senior fellow. Previously he was \na career diplomat who worked on a range of national security \nissues, including several bilateral agreements on security and \ntechnology.\n    Welcome to you also, Mr. Lewis.\n    Gentlemen, welcome to all. It is the policy of the \ncommittee on Oversight and Government Reform to swear in all \nwitnesses before they testify. Would all of you please stand \nand raise your right hands?\n    [Witnesses sworn.]\n    Mr. Clay. 
Let the record reflect that all of the witnesses \nanswered in the affirmative.\n    Each of you will have 5 minutes to make an opening \nstatement. Your complete written testimony will be included in \nthe hearing record. The yellow light indicates that it is time \nto sum up. The red light indicates your time has expired.\n    Mr. Bond, we will begin with you.\n\n    STATEMENTS OF PHIL BOND, PRESIDENT AND CEO, INFORMATION \n  TECHNOLOGY ASSOCIATION OF AMERICA; PAUL KURTZ, PARTNER AND \n CHIEF OPERATING OFFICER, GOOD HARBOR CONSULTING, LLC; JOHN W. \n  CARLSON, EXECUTIVE DIRECTOR, FINANCIAL SERVICES ROUNDTABLE/\n   BITS; AND JAMES ANDREW LEWIS, DIRECTOR AND SENIOR FELLOW, \nTECHNOLOGY AND PUBLIC POLICY PROGRAM, CENTER FOR STRATEGIC AND \n                     INTERNATIONAL STUDIES\n\n                     STATEMENT OF PHIL BOND\n\n    Mr. Bond. Thank you, Chairman Clay, and thank you to the \nsubcommittees for this opportunity for ITAA to testify and talk \nabout FISMA, an effort we have been involved in from the \nbeginning, so commendations to the subcommittees.\n    In our view, FISMA brought unprecedented and much needed \nattention to the information security challenges of the Federal \nGovernment. Importantly, too, the legislation recognized that \nto solve that challenge we needed the very best of the private \nsector involved in coming up with the solution. In part, that \nis because the dynamic nature of today's rapidly evolving \nthreats demands innovation by the private sector and those who \nhold so much of the network in private hands. So as the threat \nevolves, so must FISMA implementation over time.\n    We have been pleased to see the general trend that agencies \nare improving in this regard, but agree with the earlier \nstatement from the gentleman from New Hampshire that it is not \ngood enough for Government work. 
That is exactly right.\n    We believe that measurement processes can be improved to \nyield better results, that we can emphasize preparedness versus \nafter-the-fact response; in effect, that FISMA could be raised \nto another level, or FISMA 2.0, if you will.\n    As providers of the information systems and security \nsolutions, we will continue to help to the maximum extent \npossible.\n    I would like to assure you that our members take very \nseriously their responsibilities in this regard in providing \neffective products and solutions to the Government. We see \nourselves as partners in the mission.\n    In turn, Government agencies should be encouraged to \nconsider the very latest innovations from the private sector in \nthis space. We have seen instances when compliance is used as \nan excuse, if you will, to discount the very latest in \ntechnology from the private sector.\n    Very quickly, software as a service is a good example of \nthis. Some of the assumptions in FISMA and the standards behind \nit cause those in the agencies who are looking at compliance to \nsay that is new, that architecture isn't assumed here, and so I \nwon't do that. We believe removing barriers to innovation is \none of six recommendations I would make very quickly to the \ncommittee: Removing barriers to innovation for improvements in \nFISMA; reaffirming the agency information security program \napproval process feature to make sure that the plans aren't \njust on paper, but there are processes and resources behind \nthem; third, to ensure that CIOs and chief information security \nofficers are positioned appropriately, with necessary authority \nbehind them. 
There may be some specific authorization and \nappropriation things we would want to talk about to make sure \nthat they are positioned, authorized, and resourced.\n    Fourth, to enhance Federal cyber risk management by \nrequiring at least an annual risk assessment by the agencies \nthat incorporates classified information and the latest from \nthe private sector. We know that there are some agencies who \nare not equipped to receive classified briefings, and yet they \nmust build risk assessments.\n    Fifth, harmonize and enhance the audit and oversight. This \nwas referenced earlier by the witnesses, that the IGs and GAO \nneed to come at this in a harmonized way. We support that, and \nperhaps NIST would be in a position to do some training in that \nregard.\n    Sixth, to expand Federal cyber response capabilities and \nupdate FISMA, frankly, and its procedures to reflect the fact \nthat the Department of Homeland Security has been created in \nthe meantime, and its involvement with the US-CERT program.\n    So we commend the committee. We believe Federal information \nsecurity can be stronger, that we can have a FISMA 2.0, if you \nwill, if we refine and improve the metrics--Ms. Evans \nreferenced that a little bit, I think, focusing more on results \nthan mere compliance--and embracing the partnership with the \nprivate sector.\n    Thank you.\n    [The prepared statement of Mr. 
Bond follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T9025.063 through T9025.076\n    \n    Mr. Clay. Thank you so much for that testimony.\n    Mr. Kurtz, you may proceed.\n\n                    STATEMENT OF PAUL KURTZ\n\n    Mr. Kurtz. Thank you, Chairman Clay. It is a pleasure to be \nhere today. Thank you for the invitation.\n    I am here today to talk about how certain information and \nsecurity developments in the private sector will impact the \nfuture of FISMA and follow-on information security, guidance, \nand controls.\n    As a start, I would note FISMA is a good step, a good first \nstep, and a good foundation; however, current law and \nsupporting implementation guidance must evolve if it is to be \neffective in light of new technology and continually emerging \nthreats.\n    My testimony today is divided into two parts: strengths and \nweaknesses associated with FISMA, as well as discussing changes \nin the private sector and how those will influence the \nevolution of FISMA and other Federal IT security measures in \nthe coming year.\n    First of all, the state of FISMA. 
Although there are flaws \nin its implementation, I would argue that the overall impact of \nFISMA has been positive.\n    The strengths, transparency: agencies must now show how \ntheir overall information security strategy and budget fit into \nthe general mission and goals of an agency.\n    Second, accountability: agencies must report on their \nprogress toward improving information security by at least \ncategorizing data based on risk and certifying systems. They \nalso must test security controls and contingency plans and they \nmust assign risk impact levels. Of course, now we have \nstandards that have been put together by NIST, like 800-53, \nwhich at least establish a baseline.\n    However, there are weaknesses. One, FISMA and supporting \nguidance do not provide an enterprise-wide assessment of risk. \nWhat is the overall risk associated with a given agency's IT \nsecurity system? We have misleading scores. The scores measure \nonly whether agencies pursue compliance processes, not \nwhether IT systems are actually secure. In other words, there \nis perhaps a false sense of security associated with the \nscores.\n    A lack of consequences for non-compliance: FISMA has no \nreal enforcement capability outside of OMB being able to \nthreaten to move money around.\n    The inability to adapt to emerging technologies: in other \nwords, we have new technologies that Mr. Bond has talked about \nthat FISMA can't handle so well.\n    Many of these concerns I would argue can be addressed by \nimproving FISMA implementation guidance and do not necessarily \nrequire a change in the law; however, both committees' \noversight and looking for reporting would be extremely helpful.\n    There have been several developments in the private sector \nwhich I think should be highlighted here today.\n    First of all, the private sector is empowering CIOs and \nCISOs. Mr. Bond talked about that. That is a very important \ndevelopment. 
But there is also the changing nature of IT. This \nis an incredibly important issue. We have a shifting paradigm \nfrom a client server environment where all of the applications \nare loaded on your computer, to one where we are building or \nusing software and data that is stored offsite via the \nInternet. This is sometimes referred to as Web 2.0.\n    Currently, FISMA guidance is skewed toward the client \nserver environment, which means that some of the great \nefficiencies that are available through such things as software \nas a service are being passed by by the Federal Government \nbecause of perceived issues associated with FISMA compliance. \nGuidance needs to be updated sooner rather than later, as Mr. \nBond has talked about, to ensure that agencies can take \nadvantage of software as a service.\n    Right now I can name several cases where agencies are, if \nyou will, in a holding pattern because they don't think \nsoftware as a service is going to work.\n    Finally, I want to highlight the need to evolve to a more \ncommon international information security standard. FISMA is, \nif you will, the Government information security standard, and \nit is good, it is solid; but meanwhile the private sector is \nevolving toward a new standard, ISO 27001, which sounds a \nlittle technical but agencies and firms around the world are \nmoving to this new standard. It would be good if FISMA could at \nleast have some level of agreement with what is happening in \nthe 27001 world. In other words, if I am compliant with 27001, \nthis new revised standard, I can be deemed in compliance with \nFISMA. This would bring great efficiency to Federal agencies \nand reduce the cost for taxpayers, as well.\n    I will conclude my remarks there.\n    [The prepared statement of Mr. 
Kurtz follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T9025.077 through T9025.083\n    \n    Mr. Clay. Thank you so much, Mr. Kurtz, for those \nsuggestions.\n    Mr. Carlson, you may proceed.\n\n                  STATEMENT OF JOHN W. CARLSON\n\n    Mr. Carlson. Great. Thank you. Thank you for the \nopportunity to testify on information security practices within \nthe financial services industry and how they may be of use to \nthe Federal agencies in meeting the goals of FISMA.\n    I am John Carlson. I am the executive director of BITS. We \nare a division of the Financial Services Roundtable focusing on \ntechnology and operations issues to promote best practices in a \nstrong national financial infrastructure.\n    I would like to briefly highlight the risk and threat \nenvironment faced by financial institutions today and our \nefforts, which could be applied to strengthen the Federal \nGovernment's information security programs.\n    The cyber security threat environment is constantly \nevolving, and some risks are increasing. Phishing, cyber \nsquatting, viruses, worms, and other forms of attack are \nendemic. Hackers are closing the window between the discovery \nof a software flaw and the exploitation of that flaw. Criminals \nare using social engineering to trick consumers into providing \npersonal information that can facilitate fraud and identity \ntheft. 
Highly publicized breaches, both public and private \nsector, and the resulting loss or theft of personally \nidentifiable information do undermine consumer confidence, and \nthat leads to concern about identity theft, which remains high.\n    In response to these threats, our member companies are \nconstantly thinking about these risks and have developed \nnumerous guides and other forms of collaboration to mitigate \nthem. We have developed tools to better secure data and to respond \nmore effectively to data breaches. For example, we developed a \nguide in conjunction with the American Bankers Association to \nhelp financial institutions respond to data breaches, which is \nin harmony, by the way, with the Gramm-Leach-Bliley Act's \ninformation security safeguards rule, which provides a very \nhelpful foundation for the financial services industry.\n    In addition, we work with our member companies to respond \nto high-profile breaches, such as the TJX Company's breach \nseveral months ago.\n    We have engaged also major software companies by outlining \nour sector's high security needs, even providing a lab to test \nsoftware products against baseline security requirements and \ndeveloping a practitioner's guide for patching software for \ncomplex information technology environments, in many cases very \nsimilar to Government in terms of the complexity and legacy \nsystems.\n    We have also developed a number of consumer education \nmaterials that help consumers secure their computers and avoid \nthe lure of fraudsters.\n    We have also looked at success factors for security \nawareness programs which financial institutions are required to \nprovide to their employees, like Government agencies, as well.\n    Efforts to make e-mail more secure and reliable could be \nhelpful in reducing the amount of spam and malicious software \nthat is transmitted through e-mail. 
We released a tool kit \nseveral months ago that recommends financial institutions and \nothers adopt specific protocols designed to improve e-mail \nsecurity. We think if Government adopted those we would go a \nlong way in addressing some of the e-mail-related problems we \nare dealing with today.\n    Our work in overseeing third-party surveillance providers \ncould be helpful to Government agencies in procuring services \nand overseeing vendors. For example, the Financial Institutions \nShared Assessments Program, which we launched in 2006, \nstreamlines the service provider risk assessment process while \nraising the bar on security. We currently have 50 financial \ninstitutions, service providers, and assessment firms that are \ninvolved in this program.\n    We are also looking presently at the issue of wireless \ntechnologies and some of the security risks that may result \nfrom those technologies, and assuring that we are addressing \nthose risks adequately.\n    We have also outlined a number of research and development \nfunding priorities that we think, if the Government adopted, \nwould be very helpful for our sector. These would include areas \nsuch as better Internet protocols, better enrollment and \nidentity credential management, better understanding of insider \nfraud and threats, and better ways of measuring the return on \ninvestment of security technology.\n    And perhaps most important to Congress is our work to \nassist victims of identity theft while at the same time helping \nlaw enforcement agencies investigate and prosecute identity \ntheft crimes. The Identity Theft Assistance Center, another \ndivision of the Roundtable which BITS helped to establish \nseveral years ago, provides a free victim assistance service to \ncustomers of our member companies. Since it opened in 2004, it \nhas helped 16,000 consumers restore their financial identity. 
\nAlso, data supplied by ITAC with the consent of consumers is \nhelping catch the individuals who commit these crimes.\n    The financial service sector was the first sector to \nestablish an Information Sharing and Analysis Center in the \nlate 1990's, which continues to be a model for successful \ninformation sharing on cyber and physical threats. In addition, \nour sector established a Coordinating Council shortly after 9/\n11 to provide a means of collaborating across the sector, with \nother sectors, and with the Department of Homeland Security, \nthe Treasury Department, and others.\n    Before I conclude, I want to remind the committee that \nfinancial institutions are heavily regulated and constantly \nsupervised. Our financial regulators have issued numerous \nregulations and supervisory guidance on information security, \nwith the Gramm-Leach-Bliley safeguards rule as an important \nfoundation. Efforts by regulatory agencies have had a positive \nimpact on improving information security through a risk-based \napproach, which is very important.\n    Government can help the industry and society in a number of \nways in dealing with the threats we are dealing with today. A \nnumber that I would like to point out would be: implementing a \nSocial Security verification program to reduce fraud and \nidentity theft; issuing more secure Government credentials; and \npermitting financial institutions to transmit data to \nGovernment agencies like the IRS in encrypted format.\n    In closing, securing information is an ongoing process that \nrequires constant vigilance, ongoing enhancements to address \nnew and emerging threats, in collaboration with partners. I \nbelieve our efforts can be helpful to Government agencies in \ncomplying with the goals of FISMA.\n    Thank you for the opportunity.\n    [The prepared statement of Mr. 
Carlson follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T9025.084 through T9025.103\n    \n    Mr. Clay. Thank you so much, Mr. Carlson.\n    Mr. Lewis, please proceed.\n\n                STATEMENT OF JAMES ANDREW LEWIS\n\n    Mr. Lewis. Thank you, Mr. Chairman. Thank you for this \nopportunity to testify.\n    The committee is aware of the damage done to U.S. interests \nin national security by the successful penetrations of Federal \nnetworks we have seen in the last year or so. Much valuable \ninformation has been lost. We don't want to overstate the \nrisks, but at the same time we don't want to ignore the damage.\n    We should note that an agency's FISMA score is largely \nirrelevant to telling how well it is able to withstand these \nattacks.\n    The growing sophistication of software tools available for \ncyber crime and espionage increases the risk to Federal \nsystems. Recent events in Estonia, which is a small country \nattacked by unknown hackers, show how we face probably a \ngreater threat than we did when FISMA was enacted.\n    We can draw some lessons from the Estonian experience. 
They \nresponded calmly and rapidly to the attacks, but they are a \nsmall nation. The United States is larger and operates many \nmore networks. That means in some ways we are a more difficult \ntarget, but at the same time we may not be as efficient in our \nresponse.\n    The question of efficiency goes to the heart of FISMA. The \nU.S. Government operates hundreds of thousands of computers. We \ntalk about an enterprise architecture, which means a \ncorporation under a powerful CEO where all the business units \nare unified in their efforts, but I don't think this is \npossible for the Government. No single agency has control of \nthe Federal networks.\n    Congress passed FISMA to bolster network security within \nthe Federal Government. FISMA provides a framework for security \nand mandates yearly audits. The intent behind FISMA was good, \nbut an agency can get good marks in FISMA and still be \nvulnerable. This is despite much good work in recent years to \nimprove security.\n    We need to ask whether FISMA is still relevant. One way to \nanswer this question is to look at the process. FISMA involves \nthe production of reports. The reports certify whether certain \nstandards are being met. These standards, if followed, may \nimprove security or they may not. FISMA is a direct measurement \nof compliance with processes and an indirect measurement of \nsecurity. If we asked agencies whether or not their networks \nwere secure, as measured by penetrations or data loss rather \nthan by whether they follow certain standards, their answers \nwould produce more accurate results.\n    Another way to look at FISMA is to ask how the technology \nhas changed. The most important change, as you heard from Mr. \nKurtz, lies in how the Internet is used. There are new Web \napplications. Federal agencies use some of these, such as \nwikis. Other applications, such as Web-based services, are not \nyet widely used, but because of their cost advantages they will \nbe. 
Any re-examination of FISMA should update the act to allow \nfor the evolution of technology.\n    In my view, FISMA needs an overhaul. One way to do this \nwould be to replace FISMA's emphasis on certification, with \nperformance-based measures that focus on vulnerability to \nattack. Revising FISMA to focus on performance and to ask how \nmany times a system was probed or penetrated, what the \nvulnerabilities were that allowed for a successful attack, and \nwhat steps were taken to rectify these vulnerabilities might be \nthe single most important change that Congress could make.\n    Another way to improve FISMA would be to link it to \nmandatory consequences. A successful attack or a low score \nshould trigger a requirement for agencies to reprioritize and \nreallocate funding for information security.\n    By itself, even a FISMA that worked perfectly would be \ninsufficient to secure Federal systems. A revised FISMA has to \nbe part of a larger strategy. The elements of this strategy \nshould include: increased accountability and responsiveness by \nagency leadership; adequate funding; use of the acquisitions \nprocess; and increased emphasis on protecting information \nrather than networks.\n    Using the Federal acquisitions process to encourage \nsuppliers to make IT products more secure could be very \nbeneficial. For example, the Government could give preference \nto commercial software made with industry best practices for \nsecurity.\n    I want to conclude by saying although there has been \nprogress in recent years, better Federal organization would \nalso help improve information security. We are better off than \nwe were 10 years ago, but not all agencies have seen equal \nimprovement. Despite FISMA, cyber security remains a low \npriority for many agencies. Much remains to be done.\n    Let me tell you an encouraging story, though, to finish up, \nMr. Chairman. 
We faced a similar challenge in the 1980's when \nthe United States discovered that its communications over \ntelephone networks were not secure. The United States began a \nprogram then to secure sensitive voice communications. Within a \nfew years this program, which was implemented by the National \nSecurity Agency, had succeeded in securing communications. \nThere are major differences, of course, between telephone \nnetworks and the Internet, but the lesson of identifying a \nproblem, assigning its resolution to a competent agency, and \nmoving aggressively with adequate funding to fix it offers a \nmodel for how to improve information security.\n    My view is that, with better organization and strategies, \nwe can make Federal information systems more secure, and an \nimproved FISMA can play an important part of this effort.\n    Thank you.\n    [The prepared statement of Mr. Lewis follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T9025.104 through T9025.108\n    \n    Mr. Clay. Thank you, Mr. Lewis, for your testimony.\n    Chairman Towns has rejoined us, and I will go to Chairman \nTowns and recognize him for questions.\n    Mr. Towns.\n    Mr. Towns. Thank you very much. I really appreciate this \nhearing.\n    One of the biggest weaknesses in security for the Federal \nGovernment has been the use of portable devices--laptops, \ncomputers, disks, USB drives, etc.--where the data goes out the \ndoor with the user, and the only protection is hoping that the \nuser doesn't lose the device or have it stolen. In other words, \nbasically it has been a human problem more than a technical \nproblem.\n    How does industry deal with that, Mr. Bond?\n    Mr. Bond. I will take a first shot, and I am sure the \nfinancial services industry would have some, as well, Mr. \nChairman. 
Thank you for the question.\n    I think that one difference between the private sector and \npublic sector in this regard is there is a deeper level of \ncontinuous assessment of where the network is extending, to \nwhich devices, a greater level of authentication within the \nleading companies and best practices to know which devices are \nconnecting to their network, whom they belong to, are they \nauthenticated.\n    The Federal Government is beginning to move down that path \nwith a number of efforts like HSPD-12 and others to be able to \nauthenticate who is entering a building, much less who is using \na PC, a thumb drive, or whatever. So it is a long road. I think \nthere is much to learn from the private sector in this regard, \nand probably much to learn from the financial services industry \nto get to the level of continuous assessment and confidence \nthat you need in such a large enterprise and such a large \nnetwork.\n    Mr. Carlson. I would also add to that. The nomenclature of \ninformation security, you always talk about it in terms of \npeople, process, and technology, so all three of them are \nequally important in terms of how you secure information.\n    Certainly in the financial services industry we have been a \ntarget of fraudsters to go after information, to hack into \nsystems for financial gain. Our industry has really responded \nvery aggressively over the past 10 years to tighten systems, to \nimprove authentication, to encrypt more information, to mask \ndata, to restrict the use of Social Security numbers in the \nverification process. 
So collectively those efforts are making \ngood progress in terms of making it more difficult to access \nthe information.\n    There is also the human component of it, and that requires \na lot of education on the part of employees, contractors, and \nconsumers that are using the devices to access, say, their \nbank, or users that are accessing Government facilities, to \nmake sure that they are doing the right thing in securing their \nportion of the chain.\n    Mr. Lewis. If I could just add, Mr. Chairman, I do think \nthis is, in some ways, a problem that our technological fixes \nfor, this should not be a big deal. If you have better \nauthentication, if you have better encryption, losing a laptop \nshould not mean the loss of valuable information. That is sort \nof the normal practice in the high-tech industry, and we need \nto see the Government move more rapidly to adopt those \npractices.\n    Mr. Kurtz. If I may add to what everybody has offered, I \nthink, first and foremost, we do not want to have Federal \nemployees and contractors tethered to their desks and not be \nable to be mobile with their devices, so laptops, the ability \nof Federal employees to be mobile and do work from all places \nis really important. And to the technical solutions, finally we \nhave guidance from OMB as of last summer to encrypt it. We need \nto encrypt it at rest and in transit, and we should move down \nthat road far more quickly than we have in the past. We also \nmust increase authentication.\n    As Mr. Bond said, we have HSPD-12, a directive to use \ngreater authentication across Federal agencies and with \ncontractors. Both of those areas should receive great priority.\n    And, finally, unlike the private sector, there are not \nnecessarily consequences for using a laptop. In the case of VA, \nthe individual was ultimately dismissed, but a lot of laptops \nare lost and there really are no consequences for those who \nactually use them. 
In the private sector, obviously there could \nbe consequences.\n    Mr. Towns. Thank you very much.\n    Let me ask, if we were to change FISMA, if we were to \nstrengthen, what is the one thing that we need to do? I would \nlike to go down the line on it. There are two things that you \nmust say, feel free to do so, but how we might be able to \nstrengthen it.\n    Mr. Bond. I offered six when you weren't here, so I will \npick my favorite.\n    Mr. Towns. I am sorry.\n    Mr. Bond. No, I appreciate your leadership on this, \nChairman Towns, and appreciate your having the hearing.\n    I guess if I had to pick one of those, though, I think I \nwould say an annual risk assessment by the agencies that \nincluded classified information and input from the latest and \ngreatest in the private sector. We know there are some agencies \nwho either don't have the personnel, the communication \nfacilities, or whatever, to receive even classified briefings \nto go into the risk assessment, and so we must be missing it. \nThat is what I would say, No. 1.\n    Mr. Towns. OK. Thank you.\n    Mr. Kurtz. Most likely, close to what Mr. Lewis talked \nabout, and that would be a requirement for annual vulnerability \nassessment, a real red team, against each Federal agency, where \nwe are also getting reported on the number of attempted attacks \nand penetrations against an agency, as well as what they are \ndoing to mitigate those problems. It really isn't a strong \nrequirement to do that today.\n    Mr. Towns. Yes.\n    Mr. Carlson.\n    Mr. Carlson. Yes. I would add I think it is important to \nmake sure that the program the Government puts in place, \nwhether it is at the agency level or across the board, has at \nits heart collaboration, that it supports it, that it \nencourages it within the organization, but also across the \nGovernment and with the private sector.\n    I think there also needs to be a program that is very much \nrisk-based and forward-focused. 
We can't be focused on solving \nyesterday's problems at the expense of not focusing on \ntomorrow's problems. And this space is moving so rapidly. \nTechnology moves forward quickly. There is a tremendous amount \nof competition, and I think the best thing the Government can \ndo can also be a driver for responsible practices by using its \nvast procurement power to purchase products that have high \nsecurity standards, that are tested, that are going to meet the \nneeds of the Government and the people that the Government is \nentrusted to protect. So using that procurement power could be \nvery, very forceful in terms of driving the industry forward.\n    Mr. Lewis. Good question. Thank you. I would say, following \non Mr. Kurtz, performance-based scores tied to mandatory action. \nTest the system. Don't tell me you complied with some standard. \nTest the system, and if you fail you are required to do \nsomething to fix that. That is what we need to do.\n    Mr. Towns. Thank you very much. I yield back, Mr. Chairman.\n    Mr. Clay. Thank you, Mr. Chairman.\n    Mr. Bond, a critical element of FISMA is for agencies to \ndevelop a risk assessment of their systems in order to develop \nor integrate effective security policies and applications for \nthem. With this in mind, please characterize the vendors' roles \nand responsibilities in developing and implementing secure \nnetworks and applications throughout an agency. And isn't the \nmitigation of risk a shared duty or responsibility between both \nagency personnel and the vendor community?\n    That is two questions.\n    Mr. Bond. Yes. Thank you, and let me try to get there on \nboth of them.\n    I think absolutely that the leading contracting companies \nin this space feel that they share the mission, that this is a \ncritical mission for the country, of which they are a part, and \nthat they want to make sure the Federal Government succeeds as \nmuch as humanly possible. 
So I think it is very much a \npartnership.\n    It is also a partnership because so much of the network--\nand we heard testimony about you are only as good as your \nweakest link--so much of the network is in private sector \nhands, so this is de facto a private/public partnership.\n    I think, in terms of the responsibilities, there is some \nwork that needs to be done there to clarify that, even under \nFISMA, which assigned some responsibility to the head of the \nagency. How that plays out then at the contractor level, who \nhas which responsibilities, is sometimes not as clear as it \nshould be in the contracted relationships, so I think there is \nsome work to be done there.\n    Mr. Clay. Thank you for that.\n    Mr. Kurtz, what remedies would you offer to NIST and OMB \nfor providing stronger or more timely guidance? How can new \nguidance or security controls be added in a real time \nenvironment?\n    Mr. Kurtz. Well, first of all I would, in large part, \ncommend the work of OMB and NIST. I think NIST is \ninternationally recognized for the work that it does, but at \nthe same time the standards process is slow and methodical. So \nin that case I think OMB has a special responsibility to be, if \nyou will, more agile and more responsive.\n    I think Karen Evans has done an excellent job, but I also \nthink we kind of learn the hard way. If we look at the \ndirective to encrypt, the directive to authenticate, it was \nonly after we had real problems.\n    So I think annual guidance update that OMB carries out that \nKaren talked about earlier today is incredibly important, and \nthat we ought to be used to continue to make sure the \nimplementation of FISMA, the execution of FISMA is strong and \nto the point.\n    The classic example I would give right now is the migration \nto Web-based applications, software as a service. Right now the \nGovernment is not in the right place on that. They are way \nbehind the private sector. 
There is a huge migration underway, \nand FISMA and implementation of FISMA is not prepared for this \nmigration. There are huge losses in efficiency and value to the \nFederal Government that are going on right now because we are \nnot agile enough in updating that guidance so agencies can take \nadvantage of it.\n    Mr. Carlson. Pardon my lack of knowledge on that, but you \nand other witnesses have mentioned software as a----\n    Mr. Kurtz. Software as a service.\n    Mr. Clay. As a service. Explain what that is.\n    Mr. Kurtz. I will take a shot, and then I will turn to \nothers on the panel.\n    Essentially, we lived in a world where you had software on \nyour computers, applications that sat on your computers that \nyou would pull up in order to create a Word document, Excel \nspreadsheet, or whatever it would be. Now we have software \napplications and data that is being stored offsite. So, just \nlike you do online banking, it is much the same, where you are \ntapping in to software and data that is held elsewhere.\n    The real value of, if you will, service on demand via \nsubscription is that the Federal Government is no longer \nassuming those enormous costs of maintenance and upgrade. It \nis, if you will, the provider's job to take care of that. It is \nthe provider's job to maintain the software, to upgrade it, and \nit is a fairly seamless process. Great efficiencies could be \nmade available to the Federal Government if they were to pursue \nthat.\n    Phil, you may have a much better description than I.\n    Mr. Clay. Mr. Bond, do you have anything to add? Did he \npretty much describe it?\n    Mr. Bond. Yes. I think you have probably pretty well got \nthat. I think we, on this side, are sometimes guilty of geek \nspeak, but it looks like you got it.\n    Mr. Clay. I think I got it. Thank you for that.\n    Mr. Lewis. Can I just add one thing on that, Mr. Chairman?\n    Mr. Clay. Mr. Lewis, please, if you have something to add.\n    Mr. Lewis. 
We actually use it at my work. We do our time \nand attendance and our payroll on it. We shifted. People were \nworried about security at first, and we have been doing it now \nfor 4 or 5 years without a problem, so think about that. \nInstead of doing a time card and filling it in here we do it on \nthe Internet. It goes to some company. I don't remember their \nname. They do it all for us.\n    What we see in the press like the Wall Street Journal is \nthis can bring savings of 20, 25, 30 percent, so it is \nsignificant.\n    Mr. Clay. And Mr. Lewis, the company secures that data, \nthat information for you?\n    Mr. Lewis. Very much so, sir. We looked into it.\n    Mr. Clay. Mr. Bond, do you have something to add?\n    Mr. Bond. Yes. I would just add very quickly they secure \nthe data as well as the transmission of it to make sure that it \ncomes to you safely. While I agree with Mr. Kurtz that the \nFederal Government is behind on this and certainly NIST is well \npositioned to be between the private sector and Government to \nhelp understand how to process information in the future, I do \nwant to note for the record the Department of State, Treasury, \na number of State governments, county governments have deployed \nsoftware as a service model, so it is being done, but I can't \neven say we have scratched the surface yet.\n    Mr. Clay. But we ought to urge our Government to take a \nlook at that. Thank you.\n    Mr. Carlson, while FISMA offers us a good baseline of \ninformation to work with, there are significant concerns that \nwe are not gathering better performance data from our networks \nin a real time environment. Has BITS or other industry efforts \nsought to develop better metrics or data gathering methods for \nits systems?\n    Mr. Kurtz. 
We have a lot of discussion among experts within \nour member companies about how to manage information security \nrelated risks, so through those discussions we kind of coalesce \naround a number of different approaches that the industry finds \nuseful and effective. Many of those have been published in some \nof the guides that we have put out, either as metrics tools or \nefforts to identify where there may be gaps in the program that \nan individual institution has in place.\n    I would also add that our environment is a little bit \ndifferent in that we also have regulators that constantly come \nin and do audits of financial institutions and determine \nwhether or not those controls are adequate to meet the \ninformation security needs that the institution is dealing \nwith. So there is almost like a double layer approach. \nInstitutions do the risk analysis, develop the metrics, come up \nwith the solutions that meet their risk-based environment, and \nthen regulators come in and do an evaluation to see whether or \nnot they are adequate.\n    Mr. Clay. Thank you for that response.\n    Mr. Lewis, we have all been reading about the recent cyber \nattacks in Estonia, which are primarily distributed denial of \nservice attacks. There remains some uncertainty regarding the \nultimate source of the attacks, which were delivered using \nbotnets. Could you offer us some comment on, one, the ability \nof our agency systems to handle such an attack, and, two, the \neffectiveness of FISMA compliance as a means to develop some \nlevel of assurance that such attacks could be withstood?\n    Mr. Lewis. Certainly, Mr. Chairman.\n    Unfortunately, I think if you were to look at the Federal \nGovernment you would probably find that the ability of agencies \nto respond to this kind of attack would be very uneven. Some \ncould do quite well. 
Others, as we know from recent events, \nwould probably have real problems.\n    Now, let me note that in Estonia, there were these attacks. \nThey were massive. But the government IT people there were able \nto bring most services back online within a few days. So it was \ndisruptive, but it didn't destroy Estonia or lead it to \ncollapse.\n    We would also not face collapse or some terrible outcome, \nbut there would be disruption. We have seen that now. There are \nsome agencies that were attacked a few months ago and are still \nhaving difficulty accessing the Internet, such as, I believe, \nthe Department of Commerce.\n    Where does FISMA fit into this? Right now it may not be as \nuseful as we might like. FISMA measures how well people conduct \ncertain certifications, how well they construct their systems, \nhow well they document what they have done. But I am not sure \nhow useful it is in measuring their ability to actually deal \nwith an attack, so this would be an area where FISMA, although \nit is very beneficial, it focuses attention, it is an area \nwhere we could improve it.\n    Mr. Clay. Thank you for that response.\n    Mr. Carlson, one of the programs BITS has established is \nthe BITS product certification program to test IT products \nagainst security criteria developed by the financial services \nsector. Please outline for us how this program works and \nwhether there are components that could be adopted or \nrecognized by the Federal Government for its systems.\n    Mr. Carlson. Yes. The program was established about 8 years \nago as an effort to try to provide a forum to signal to the \nsoftware industry what are baseline security needs for the \nfinancial services industry. 
It evolved over time into a \nprogram in which the industry would lay out these baseline \nsecurity requirements in a number of different areas and then \nprovide a means in which a software company could come in and \ntest, pass or fail, whether or not it met these baseline \nsecurity requirements.\n    We then made some modifications to it to be compatible with \na common criteria program, which is a program that the NSA and \nNIST run, so that a company could go through both the common \ncriteria program, the BITS product certification program.\n    So there are many elements of it, and we have shared our \nwork with DHS and others as a way to try to encourage the \nGovernment to apply this type of model, but to make sure the \nmodel is done in such a way that it is not too expensive, too \nlabor intensive, and taking too long to complete. That has \ncertainly been some of the complaints with the common criteria \nprogram, is that it does take tremendous amounts of time.\n    So there is room for a program. I don't think we have hit \nthe ball squarely in the right place in terms of our program, \nbut we have certainly set out a program that is a beginning \npoint that the Government could look at in trying to decide \nwhat is a program that is going to meet its needs in laying out \nthe security needs for the Government.\n    Mr. Clay. Do you think the Government has taken the \nsecurity issue as seriously as they should have at this point?\n    Mr. Carlson. I think there has been a lot of talk in terms \nof the importance of security. 
I think that it has been slow, \nmuch slower certainly than I would have anticipated in terms of \nhow quickly the Government has jumped on to some of these \nideas, certainly that we have proposed.\n    I would note this committee had sponsored an effort several \nyears ago, through Congressman Adam Putnam, to kind of bring \ntogether Government, private sector, and really to bring \ntogether the user community, which is the community I am most \nfamiliar with, and the producer community or the IT community, \nto try to bridge some of those gaps.\n    I think we made a lot of progress. Paul Kurtz played a very \nimportant role in that effort, as well. But the Government was \nvery slow in terms of picking up on these recommendations and \nreally moving them forward.\n    I think they have made progress, particularly in the last \nyear, and I noted in my testimony a number of efforts that have \nbeen very positive in terms of Greg Garcia being placed as the \nAssistant Secretary at DHS, the work that the administration \ndid on the Identity Theft Task Force and some of the \nrecommendations that are in there, the work that Karen Evans \nand others have done at OMB in terms of strengthening \nGovernment security programs. So those are all steps in the \nright direction. But my personal opinion is that it has been \nmuch slower than I certainly would have anticipated a few years \nago.\n    Mr. Clay. Thank you for that response.\n    Mr. Kurtz, in many of our sensitive or classified programs \nwe use software and applications that have been certified under \nthe National Information Assurance Partnership process. While \nnot perfect, NIAP provides a greater level of software and \napplication assurance for the program. If reducing the number \nof vulnerabilities in our system is a primary goal, shouldn't \nwe utilize similar certification processes for all agency IT \nsystem needs? And others can take a stab at it.\n    Mr. Kurtz. 
I would start with maybe a challenge to the \npremise that NIAP is strong. I think there are enormous issues \nwith the National Information Assurance Partnership. There are \nterrible inefficiencies, terrible processes associated with \nthat vendors must struggle to go through, and I don't think \nreally at the end of the day agencies get an appreciable \nincrease in security.\n    That is not to say that the process does not yield some \nimproved security on the part of the software or hardware that \ngoes through the process, but I would not use it as a baseline.\n    I think there are two points I would try to make. One is I \nthink NIAP needs to be revisited. I think it needs a wholesale \nreview. I know DHS and the Department of Defense engaged in a \nstudy of it 3 years ago. I don't think the report has ever seen \nthe light of day. I think Congress should ask for it. I think \nthey should push to make sure that there is a full-scale review \nof it. And I think we should take a broader view of what is the \nrole of product or software certification in a networked world. \nIt might be, in fact, not as much value as we might hope in \nthat product certification. It is almost a topic for a separate \nhearing.\n    You probably asked the wrong guy, because I am going off on \nit.\n    Mr. Clay. Thank you.\n    Does someone else want to take a stab at it?\n    Mr. Bond. If I could just real quickly, to follow up. And \nmaybe there will be another hearing. But I think certification \nand accreditation was an important baseline, especially at the \ntime FISMA was passed. But that is a slower boat, if you will, \nthan the threat, and so you could theoretically be in some \nagency. Veterans have pointed out you can be 100 percent \ncompliant in terms of your C&A score and still be very \nvulnerable.\n    So I think Mr. Lewis testified earlier about really keeping \nour eye on what is the vulnerability. That is more important \nthan your C&A score.\n    Mr. Clay. 
I appreciate that.\n    An open question for the entire panel. What would be the \npotential risks or rewards to the Federal Government if it \nrequired its vendors to provide more detailed information \nconcerning the direct evaluation of testing of software code? \nCouldn't we simply choose the best products if we had this \ninformation?\n    We can start with Mr. Bond.\n    Mr. Bond. If I can, thank you very much. I think that, \nagain, this is really a question largely about how rapidly the \nthreat evolves. I think it is fair to say that the very best, \nmost assured products could be vulnerable to an unforeseen \nthreat, and the threat evolves rapidly, so assurance of \nproducts and sharing as much as you can without giving away \nsome proprietary secret of your product, because it is a \ncompetitive market, and I think that is important. But again, \nyou don't want to look in the rear-view mirror as the \nGovernment. The very best product today may be vulnerable to \nsome new threat. So I don't want the committee to think that by \nsimply saying make sure that you are as up to date as anybody \nin the marketplace today, because that may not matter tomorrow.\n    Mr. Clay. It is like a moving target.\n    Mr. Bond. It is.\n    Mr. Clay. Thank you.\n    Mr. Kurtz. Chairman Clay, your question may be focused on \nsource code, the actual software source code?\n    Mr. Clay. Yes.\n    Mr. Kurtz. It is proper to take a look at this issue. I \nthink the good news in this space is just in the past 3 or 4 \nyears a couple of things have happened. 
One is industry as a \nwhole, the software industry, is getting far more serious about \ndeveloping good standards of coding, and they are, in fact, \nseeking to work together to build better standards.\n    But I think also, equally as important, as typical of the \nprivate sector and the free market, enterprises are realizing \nan opportunity, and they have several new companies out there \nthat recognize the need for code review that can actually \nanalyze code, look for vulnerabilities, and propose mitigation. \nThere are probably five or six that I can name right off the \ntop of my head.\n    The bottom line of this is I want to think a little bit \nabout mandating some sort of code meeting some spec, some \ncertain level, given the nature of the threats that Mr. Bond \nhas talked about, but I do think it is worthwhile thinking \nabout encouraging the private sector to engage in source code \nreview of some type to use those tools.\n    I know in the banking and finance industry, because they \nhave a lot of proprietary code, they are using these tools. \nOthers are starting to use these tools. I think we are learning \nmore with each passing day. It is a maturing industry.\n    There is a move underway in Europe to potentially getting \nto regulating source code. Incredibly bad idea. Incredibly bad \nidea that would stymie innovation, stymie research, and good \nmoney going into developing new tools for more powerful and \nmore secure code.\n    Mr. Clay. Thank you for your opinion.\n    Mr. Carlson.\n    Mr. Carlson. I would add I think the question you really \nwant to be asking is what are the incentives that the \nGovernment should put in place to encourage companies to \nproduce the best quality products, in terms of how they are \nused. 
As Paul mentioned, my association had done a great deal \nof work several years ago to put a lot of pressure on the major \nsoftware companies to make security of greater importance in \nthe development of the products and services. And the industry \nhas certainly responded a great deal and security has become \nmuch more of a competitive issue than it was several years ago, \nand that is a very positive step.\n    But I think you ought to be careful in terms of going too \ndeep in terms of the specific metrics that you are looking for, \nbut really look for ways to create the incentives that are \ngoing to be the drivers for innovation and for companies to \nreally develop these products and services, and then also to \nfind ways that the companies can demonstrate to Government and \nto private industry how their products are secure, what are the \nfactors that they will use in order to determine whether those \nproducts are secure. That would help to secure a certain aspect \nof the information security equation. It doesn't solve all the \nproblems. It is not a simple solution, but it certainly is a \npositive step.\n    Mr. Clay. Thank you, Mr. Carlson, for reframing the \nquestion.\n    Mr. Lewis.\n    Mr. Lewis. Can I add a little bit here? It is always fun to \nbe the last one, and I will say that I agree with Paul that \nanything the Europeans do we should probably not do. But your \nquestion is really: would better software assurance be useful? \nAnd the answer is yes. It is, how can the Government push that? \nWhat are the incentives?\n    You might want to think not so much about transparency in \nthe test results or looking at the source code, which is kind \nof a waste of time, but some idea about what are the practices \nthat companies follow that are paying a lot more attention to \nsecurity, what are the best practices, and using the \nacquisitions process to drive that. That is where you have your \nreal leverage in terms of incentives. 
So there is something of \nvalue there.\n    Mr. Clay. Thank you so much.\n    During this panel we have talked about different methods to \nreduce system vulnerabilities and identify the inherent flaws \nwithin IT systems, including the use of software code \nevaluation. I would like each of you to summarize whether you \nfeel the Federal Government would be an appropriate venue for \nthe development of a new certification model for the evaluation \nof IT products and software. Specifically, should a new \nevaluation tool be developed as a voluntary certification \nprogram for Federal vendors and agency CIOs to use as a \nbenchmark, or seal of approval, in meeting an agency's security \nneed? If successful and efficient, wouldn't this become a tool \nthat could be widely adopted in the private sector as an \nalternative to common criteria?\n    I will begin with you, Mr. Bond.\n    Mr. Bond. My initial reaction is that the frustration I \nthink we have all had with how slowly information security has \nmoved across the Federal Government is some hint to how quickly \nthey might be able to move to get to the certification that you \nare looking for, and that we would be better off relying on a \nfaster-moving, more nimble private sector to figure out what is \nthe best there, what is really working in the marketplace, and \nthen quickly adopting the best practices as much as we can.\n    I would offer another tactical thought, at least for you to \nconsider. We test currently. Under FISMA, we measure whether or \nnot individuals in the agencies are taking courses on awareness \nabout information security. We are not measuring how many of \nthem pass, how many of them retain the information, are they \ncurrent. We are measuring whether or not they were offered a \ncourse.\n    I think pushing actual measurement of the results down \nthrough the Federal enterprise would probably do more.\n    Mr. Clay. Thank you for that suggestion.\n    Mr. Kurtz, please?\n    Mr. 
Kurtz. I think I would probably come out where Mr. \nLewis is. I think the Government ought to use the power of \nprocurement to encourage vendors to at least talk, to describe \nwhat common best practices they are meeting in order to improve \nsoftware assurance. I think if the Government were to get into \nthe business of establishing that software assurance criteria, \nit would have a chain effect on R&D and investment in this \nspace.\n    I do know that industry is working to identify for itself \nthose common standards, and so I would let the marketplace work \nand then use that in the procurement process to encourage or to \nincentivize vendors to demonstrate to the Federal Government \nthat they have actually met whatever the private sector \nstandard is for software coding, improved software coding.\n    Mr. Clay. Thank you for that response.\n    Mr. Carlson, please?\n    Mr. Carlson. Having some experience developing our own \nproduct certification program, I think there are some important \ncaveats to throw out there. One, it is hard work. It takes a \nlot of time. It is thankless work. You get a lot of push-back \nfrom the vendor community in terms of doing it.\n    I think, in light of Paul's comments in terms of the NIAP \nprocess, the common criteria, some of the challenges it is \nfacing, it is probably not the best tool that you can use. It \nis an important tool, and it would sure be helpful if we had \nsome sort of means by which a company could go through a \nprocess to somehow demonstrate that they are as safe as the \ntest could possibly determine. But I think it is important for \nthe Congress and the administration to keep their eyes on the \nball in terms of the broader picture, that this is just one \ntool of many or one factor out of many that really need to be \nthought about in terms of where do you put the investment to \nsecure an information security program, which is much broader. \nEncryption is a piece of it. 
Authentication, access controls, \nthe vendor management component of it, the training of users \nand employees--the list is fairly lengthy in terms of how you \ndo it.\n    Software is an important part of it in terms of that \nhackers are very good at going through and deciphering where \nthere are vulnerabilities and then exploiting those codes, so \nthat is an important role that software companies have to play. \nBut it needs to be thought of in conjunction of an entire \ninformation security program, and whatever program the next \nversion of FISMA is needs to take that into account and to be \nmuch more risk based, more performance based in terms of \nkeeping an eye on those risks, because they are going to change \nand you don't want to be solving yesterday's problem in \ntomorrow's reality, which could be a very different equation.\n    Mr. Clay. Thank you for that assessment.\n    Mr. Lewis, you can wrap it up.\n    Mr. Lewis. Thank you. Thank you, Mr. Chairman.\n    It is not a bad idea, but I would say the following things: \nYou want a process that is more flexible, certainly more \nflexible than common criteria, which produced mountains of \npaper over a very long period of time. You want it to be \nindustry driven. It is not that one company or the other has an \nanswer, but, taken as a whole, they know what the state of play \nis, and that is probably the best place to go.\n    You want it to be in partnership with Government, some new \nway of combining something a little less than regulation, a \nlittle more than voluntary effort. You want to look at best \npractices. I would say stay away from certification. But if you \ncan pull all those in, as Mr. Carlson said, if you can pull all \nthose pieces in what is a thankless process together, you can \nget some traction out of it.\n    Thank you.\n    Mr. Clay. Thank you. And let me thank the entire panel for \nyour presence here today. 
You have certainly added something \nconstructive to this discussion. I appreciate it very much.\n    That concludes this hearing. Thank you all very much.\n    [Whereupon, at 4:40 p.m., the subcommittees were \nadjourned.]\n\n</pre></body></html>\n"